If I have no access to the router's ARP table, then it's impossible?
– Macarse Jul 5 '09 at 8:57

Yes. ARP is referred to as a non-routable protocol - it won't ever go outside of the local network. If you want to see MAC addresses, you have to be on a link-local device, either directly connected or with enough remote access to enumerate the ARP table.
– Kyle Brantley Jul 6 '09 at 7:22

It cannot be guaranteed that you can see the MAC addresses of machines behind a router. But there are some protocols that may help you find a MAC address from anywhere in the network. For example, to find the MAC address of a Windows PC on another network when you know its IP address, you can use the command

nbtstat -A <IP Address>

To do the same thing from a Linux machine (with Samba installed), use the command

nmblookup -R -S -A <IP Address>

If the machine in question is not a Windows machine and there is no way to become part of the other subnet, then the only options are looking at the MAC address table in the router or, if there is a common network-wide DHCP server, looking up the MAC address in the DHCP logs. But I guess you have to be an administrator to access the router or the DHCP server.

Hence, if there are a lot of Windows machines on your network, you can find the MAC address for them even when you are not in their subnet. But if the network has a lot of Linux machines, then there is no good, very common way to find the MAC from other networks.

The above technique won't work on Linux Samba servers. They will always return the MAC address as 00-00-00-00-00-00.
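As an added illustration of the answer above (not code from the original post), this sketch pulls the MAC out of nbtstat -A or nmblookup -A output, treats the all-zero value Samba returns as "no MAC", and uses ARP only when the target is on a local subnet. The function names, sample outputs, addresses and MAC value are constructed for the example.

```python
import ipaddress
import re

# Both nbtstat -A and nmblookup -A print a "MAC Address = xx-xx-..." line.
MAC_LINE = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")
NULL_MAC = "00:00:00:00:00:00"

# Constructed sample outputs (documentation address ranges, not real hosts).
NBTSTAT_SAMPLE = """
       Name               Type         Status
    ---------------------------------------------
    WS-EXAMPLE     <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-2A
"""
NMBLOOKUP_SAMBA_SAMPLE = """Looking up status of 198.51.100.7
\tFILESRV         <00> -         B <ACTIVE>
\tFILESRV         <20> -         B <ACTIVE>

\tMAC Address = 00-00-00-00-00-00
"""

def lookup_method(target_ip, local_networks):
    """Pick 'arp' when the target is on a directly connected subnet,
    otherwise 'node-status' (nbtstat -A / nmblookup -A)."""
    ip = ipaddress.ip_address(target_ip)
    for net in local_networks:
        if ip in ipaddress.ip_network(net, strict=False):
            return "arp"
    return "node-status"

def parse_node_status(output):
    """Return (mac, note); mac is None when no usable MAC was reported."""
    match = MAC_LINE.search(output)
    if match is None:
        return None, "no MAC line in output"
    mac = match.group(1).replace("-", ":").lower()
    if mac == NULL_MAC:
        # Samba servers answer with an all-zero address.
        return None, "all-zero MAC (Samba server)"
    return mac, "MAC from NetBIOS node status"

if __name__ == "__main__":
    local = ["192.0.2.10/24"]  # assumed local interface address and prefix
    print(lookup_method("192.0.2.77", local))
    print(lookup_method("198.51.100.7", local))
    print(parse_node_status(NBTSTAT_SAMPLE))
    print(parse_node_status(NMBLOOKUP_SAMBA_SAMPLE))
```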

How can you find the MAC for a particular IP (machine) which is not part of your subnet?

For all the machines/IPs on your subnet, the IP-MAC table is stored in the ARP cache, locally on your machine. This is the same cache which gives "IP resolution conflicts". Do a simple

$ arp -a | grep particularIP

Now, for a machine outside your subnet, there is no standard off-the-shelf application which does that. I tried to think if any ICMP message can do it, but as of now I think there is none. Well, the way networking, or rather layering, is designed, this is deliberately unwanted behavior: the point is to escape or remove the information which is relevant to the layers below the present one, and as we go across networks IP is used, so no MAC.

See, if you have cooperation from the other machine, you can write a small app which encapsulates the MAC header and sends it to you... Of course, if you have cooperation from the other machine, why go to this much effort? A simple ifconfig -a does the job, and that too for all the interfaces on that machine.

If the IP in question is not on a directly connected subnet of the router, then the MAC won't be in your router's ARP table.

ARP is only visible / relevant for the last hop of an IP connection (layer 2). Everything between the first routing entity and the last routing entity is layer 3, which doesn't use the ARP of the source or destination entities, but rather the ARP of the next directly-connected routing entity.